By Bruce Alexander
In a recent Rand study entitled Freedom and Information: Assessing Publicly Available Data Regarding U.S. Transportation Infrastructure Security, Rand researchers examined how publicly available data could be exploited by a terrorists to plan and conduct terrorist attacks.
Using a “red-team”, the researchers conceptualized a series of notional terrorist attacks using the publicly available information to plan their attacks. The research revealed two major findings. First,red-team members were able to identify
information that, with some exceptions, proved useful for planning terrorist attacks (based on six different notional attack scenarios). Second, publicly available information which might be useful to a potential terrorist varied
across information categories.
Detailed information about specific security procedures for the targets selected by the red-team was
the most difficult to find whereas general non specific information was readily available.
Based on these findings, the researchers recommended that polices and procedures regarding publicly available information should be continually reviewed and that publicly available should be considered as part of the vulnerability assessment process.
The study, which focused on transportation infrastructure, has implications for Executive Protection. All publicly available information on a protectee such as media reports, public records, tax rolls etc…should be reviewed, and analyzed from the perspective of how such information could be exploited by a potential attacker.
While there’s not a lot that can be done to eliminate information in public records, knowing what’s in those records are useful in developing vulnerability and threat assessments on a protectee. For example, the home address of a protectee obtained from a property record might be information which could be exploited by an adversary. Other public records might reveal the names of family members which in turn might be useful as a means of identifying and subsequently targeting those family members for harm.
Judges have wrestled with this issue for years. The Court Security Improvement Act of 2007 currently under consideration by the U.S. Senate specifically recognizes how publicly available information can be used to target members of the federal judiciary:
Protection of individuals performing certain official duties
(a) In General- Whoever knowingly makes restricted personal information about a covered official, or a member of the immediate family of that covered official, publicly available– (1) with the intent to threaten, intimidate, or incite the commission of a crime of violence against that covered official, or a member of the immediate family of that covered official; or
(2) with the intent and knowledge that the restricted personal information will be used to threaten, intimidate, or facilitate the commission of a crime of violence against that covered official, or a member of the immediate family of that covered official, shall be fined under this title, imprisoned not more than 5 years, or both.
(b) Definitions- In this section– (1) the term `restricted personal information’ means, with respect to an individual, the Social Security number, the home address, home phone number, mobile phone number, personal email, or home fax number of, and identifiable to, that individual;
Public sources of information, as well as the Internet, should be reviewed regularly for any information which might be useful to an adversary in targeting a protectee. Sources such as Lexis-Nexis© are very useful in screening media reports for content relating to a principal. Again, there might not be many options once that information is known however knowing what the bad guy knows is useful in and of itself.